http://security.debian.org/ Debian Security Advisories 2018-06-22T23:33:21+00:00 https://www.debian.org/security/2018/dsa-4233 <p>It was discovered that the low-level interface to the RSA key pair generator of Bouncy Castle (a Java implementation of cryptographic algorithms) could perform less Miller-Rabin primality tests than expected.</p> 2018-06-22 https://www.debian.org/security/2018/dsa-4232 <p>This update provides mitigations for the <q>lazy FPU</q> vulnerability affecting a range of Intel CPUs, which could result in leaking CPU register states belonging to another vCPU previously scheduled on the same CPU. For additional information please refer to <a href="https://xenbits.xen.org/xsa/advisory-267.html">https://xenbits.xen.org/xsa/advisory-267.html</a></p> 2018-06-20 https://www.debian.org/security/2018/dsa-4231 <p>It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.</p> 2018-06-17 https://www.debian.org/security/2018/dsa-4230 <p>Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a persistent key-value database, which could result in denial of service.</p> 2018-06-17 https://www.debian.org/security/2018/dsa-4229 <p>Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite.</p> 2018-06-14 https://www.debian.org/security/2018/dsa-4228 <p>Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection.</p> 2018-06-14 https://www.debian.org/security/2018/dsa-4227 <p>Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.</p> 2018-06-12 https://www.debian.org/security/2018/dsa-4226 <p>Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.</p> 2018-06-12 https://www.debian.org/security/2018/dsa-4225 <p>Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.</p> 2018-06-10 https://www.debian.org/security/2018/dsa-4224 <p>Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4223 <p>Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4222 <p>Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4221 <p>Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4220 <p>Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4219 <p>Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.</p> 2018-06-08 https://www.debian.org/security/2018/dsa-4218 <p>Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems:</p> 2018-06-06 https://www.debian.org/security/2018/dsa-4217 <p>It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.</p> 2018-06-03 https://www.debian.org/security/2018/dsa-4216 <p>It was discovered that Prosody, a lightweight Jabber/XMPP server, does not properly validate client-provided parameters during XMPP stream restarts, allowing authenticated users to override the realm associated with their session, potentially bypassing security policies and allowing impersonation.</p> 2018-06-02 https://www.debian.org/security/2018/dsa-4215 <p>Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.</p> 2018-06-02 https://www.debian.org/security/2018/dsa-4214 <p>It was discovered that Zookeeper, a service for maintaining configuration information, enforced no authentication/authorisation when a server attempts to join a Zookeeper quorum.</p> 2018-06-01 https://www.debian.org/security/2018/dsa-4213 <p>Several vulnerabilities were discovered in qemu, a fast processor emulator.</p> 2018-05-29 https://www.debian.org/security/2018/dsa-4212 <p>Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.</p> 2018-05-29 https://www.debian.org/security/2018/dsa-4211 <p>Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy to which the network traffic could be intercepted for that particular execution.</p> 2018-05-25 https://www.debian.org/security/2018/dsa-4210 <p>This update provides mitigations for the Spectre v4 variant in x86-based micro processors. On Intel CPUs this requires updated microcode which is currently not released publicly (but your hardware vendor may have issued an update). For servers with AMD CPUs no microcode update is needed, please refer to <a href="https://xenbits.xen.org/xsa/advisory-263.html">https://xenbits.xen.org/xsa/advisory-263.html</a> for further information.</p> 2018-05-25 https://www.debian.org/security/2018/dsa-4209 <p>Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails.</p> 2018-05-25